Bug Bounty Programs Improve Companies’ Cybersecurity

The global hotel organization Hyatt announced that it is launching a bug bounty program in order to take the best care of its customers’ cybersecurity, eWEEK reports. This means that external security experts (not staff members) will be tasked with looking for software vulnerabilities and will be asked to disclose them only to the organization being tested.

This happens only about a month after the massive cybersecurity breach of a rival hospitality company, namely Marriott International Inc. As we informed you in December, Marriott International reported that the personal data of about 327 million of their guests had been stolen during the penetration of its Starwood guest reservation database. The stolen data included some combination of a phone number, name, mailing address, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date and even credit card information.

Now more than 150 people are suing the hotel chain in a federal class-action lawsuit, the Vox website reports. The suit was filed in Maryland federal district court on January 9, claiming that Marriott did not act adequately either before the breach or after it was revealed. The victims’ claims are supported by a report released by the Wall Street Journal. It showed that Starwood was the target of another attack in 2015. Hackers then had access to the system for eight months before being detected. Experts ask the question – could the huge breach have been avoided if external experts had been hired?

Apparently, Hyatt has learned from its direct rival’s mistakes and paid closer attention to strengthening its cybersecurity. The hotel chain has hired HackerOne, a bug bounty program provider, starting with a private invitation-only period. The system appears to work: 14 vulnerabilities have already been resolved.

HackerOne CEO Marten Mickos commented to eWEEK on the link between Marriott’s breach exposure and Hyatt’s announcement that it had hired his company:

“We work long term and strategically with our customers, and programs are launched based on when is best for our customer, not based on external events. As a general rule, every organization should welcome security input from hackers, and the more open the program is, the more benefit it will bring.”

Mickos also said that it is time for companies and institutions to start relying on external experts when it comes to their cybersecurity. As smaller enterprises usually cannot afford permanently hired security staff members, it is logical to turn to companies specializing in this.

“In line with that principle, we hope that every hotel and hospitality company will reduce their cyber-risk by launching vulnerability disclosure or bug bounty programs. This will be a welcome improvement for all of society,” he added.

Hyatt, however, is not the only example of a bug bounty program implementation. Recently, Tesla announced that a hacker who finds a software vulnerability in its Model 3 would get the car as a reward.

David Lau, Tesla’s vice president of vehicle software, said:

“Since launching our bug bounty program in 2014 – the first to include a connected consumer vehicle – we have continuously increased our investments into partnerships with security researchers to ensure that all Tesla owners constantly benefit from the brightest minds in the community.”

You can see what the result is when you neglect your cybersecurity by cutting the budget for hiring experts. It can literally cost you your business. Don’t wait too long to learn from your own mistakes. Better to learn from others’ mistakes and from best practices as well. Contact AMATAS – we can help you protect your business.